A risk register is a vital component of an organization’s risk management strategy. Having a risk register allows you to understand potential risks that could impact your organization so that you can take the necessary steps to mitigate those risks and protect your organization from threats. If you treat your risk register as a dynamic part of the process of identifying, analyzing, prioritizing and mitigating risk, it becomes a valuable resource that evolves as your organization evolves. But if you’re not diligent enough, your risk register could become cluttered with vulnerabilities instead of risks.
The Problem With Risk Register Guidance
Having a risk register is key, and many resources outline best practices for creating one and walk you through how to build a risk register for your business. And yet, there isn’t a lot of advice on what exactly should go on a risk register, aside from asking as many people as possible in your organization what they think should be included in it.
I’ve also seen recommendations in the project management sphere for including what they call risk scenarios on a risk register. However, these recommendations blur the line between threats, vulnerabilities and the actual risk to your organization. For example, if you’re on top of vendor management and you have several vendors that have been identified as high-risk, should those go on your risk register? What about a vulnerability that your organization has decided not to act on or different weather-related threats such as hurricane season or blizzards?
This lack of differentiation can play against your own cognitive biases and cause you to overlook crucial dependencies between threats and risks that aren’t obvious or top of mind for your organization’s leadership. This can lead to a false sense of confidence about your organization’s risk posture and blind spots that can be exploited by threat actors and put your organization in jeopardy.
The Difference Between Threats, Vulnerabilities and Risks
The first thing you really need to understand is the difference between threats, vulnerabilities, and risks because the relationship between these three concepts is crucial if you are measuring and monitoring your risk posture.
Threats are events or actions that could cause harm to your business by exploiting vulnerabilities. Threats can be loosely divided into two categories:
- Non-adversarial – which includes environmental, structural or accidental actions and events
- Adversarial – your garden variety threat actors doing reconnaissance and using attack tools, activities and malicious capabilities against your organization
Vulnerabilities are weak points in your organization’s structure, processes, architecture, culture, etc., that a threat can exploit to cause harm to your business. Vulnerabilities come in all shapes and sizes, from a server that needs to be patched or a backup data center that sits in close proximity to the primary data center, to a lack of security awareness training or an organization that’s going through a leadership transition.
Risks are the potential harm your organization could face when a vulnerability is exploited. Inherent risk is risk that has not been addressed with controls and can be influenced by your organization’s vulnerabilities. Residual risk is risk that remains after controls have been implemented and vulnerabilities have been addressed.
A Better Way to Build Your Risk Register
I am a type-A list maker. It’s how I keep track of everything that needs to get done so that I can keep all of the plates in my life and my family’s life spinning. I have lists for groceries, meal planning, packing for travel, household chores, seasonal bucket lists, task lists. You name it, I’ve probably got it written down somewhere.
I make lists because I know that my brain can only hold so much information and cannot be counted on to remember every little thing that needs to be done/packed/acted on. I also know that expecting my brain to generate this information without guidance multiplies my mental workload and increases the chance that as I’m making these lists, I will forget something crucial or miss a dependency that needs to be accounted for.
I take the same approach when we talk about risk registers. If I start with a blank page, I am placing an expectation on myself and my colleagues to be able to think of every single risk that might impact our business. I’m not saying that your organization can’t find some success in approaching a risk register this way. You absolutely can. But there are two very important things to keep in mind.
First, there are only so many actual risks that can impact your organization. I would even venture to say that the list is finite and smaller than you’d think.
And second, if you start with a risk register that’s already been built, such as those created by the Secure Controls Framework or based on NIST recommendations, you have a jumping-off point to launch your risk management platform instead of trying to build the platform yourself from scraps.
But what if you want to add custom risks to your risk register? What I’ve often found is that custom risks are actually not risks at all. They’re vulnerabilities masquerading as risks and corrupting your risk register. Remember that high-risk vendor that your organization has a relationship with? That vendor is a weak spot for your organization that a threat could exploit, which makes it a vulnerability and not a risk. The risks in this situation could be things like lack of oversight of third-party controls, inadequate third-party practices or diminished reputation. This difference, however small, is important to understanding what risks your organization is actually taking on.
While the threat landscape is ever-evolving and vulnerabilities can change and multiply, the impact to your organization (i.e. your risks) is actually very concrete and prescriptive.
The Power of Risk Relationships
Using a prescriptive approach to your risk register is the first step in understanding the connectedness between risks, threats, vulnerabilities and controls. Mapping threats to risks allows you to understand how each threat increases or decreases the likelihood that a specific risk occurs.
Mapping controls to risks illustrates how your compliance activities are reducing your residual risk, quantifying the value of your security program. Mapping vulnerabilities to risks shows how your organization could be impacted if vulnerabilities are not addressed, allowing you to prioritize the ones that are most impactful to your organization. This information provides a single pane of glass into your organization’s risk posture so that you can take control of your risk exposure and develop a more effective and sustainable risk management strategy.
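The relationships described above, as an added illustration that is not part of the original post and not RiskOptics code: a small register model in which threats raise a risk’s likelihood, controls lower it, and vulnerabilities are ranked by the inherent score of the risks they map to. The 1-5 likelihood and impact scales, the additive deltas and the entries (including the high-risk vendor modelled as a vulnerability rather than a risk) are constructed assumptions.

```python
from dataclasses import dataclass, field

def clamp(x):
    """Keep likelihood on the assumed 1-5 scale."""
    return max(1, min(5, x))

@dataclass
class Risk:
    name: str
    impact: int                # 1-5: potential harm if the risk materialises
    base_likelihood: int       # 1-5: likelihood before mapped threats are considered
    threats: list = field(default_factory=list)         # (threat name, likelihood delta)
    vulnerabilities: list = field(default_factory=list) # weak spots mapped to this risk
    controls: list = field(default_factory=list)        # (control name, likelihood reduction)

    def inherent_likelihood(self):
        # Inherent risk: before controls; mapped threats push likelihood up.
        return clamp(self.base_likelihood + sum(d for _, d in self.threats))

    def residual_likelihood(self):
        # Residual risk: what remains after mapped controls are applied.
        return clamp(self.inherent_likelihood() - sum(r for _, r in self.controls))

    def inherent_score(self):
        return self.impact * self.inherent_likelihood()

    def residual_score(self):
        return self.impact * self.residual_likelihood()

def prioritize_vulnerabilities(register):
    """Rank vulnerabilities by the total inherent score of the risks they feed."""
    totals = {}
    for risk in register:
        for vuln in risk.vulnerabilities:
            totals[vuln] = totals.get(vuln, 0) + risk.inherent_score()
    return sorted(totals.items(), key=lambda kv: -kv[1])

def build_register():
    # Constructed entries following the post's vendor and data-center examples.
    third_party = Risk("Lack of oversight of third-party controls", impact=4, base_likelihood=2,
                       threats=[("Supply-chain compromise", 2)],
                       vulnerabilities=["High-risk vendor (weak spot, not a risk)",
                                        "No vendor security questionnaire"],
                       controls=[("Annual vendor assessment", 1)])
    outage = Risk("Loss of data center availability", impact=5, base_likelihood=1,
                  threats=[("Hurricane season", 2)],
                  vulnerabilities=["Backup DC near primary DC"],
                  controls=[("Geographically separated DR site", 2)])
    return [third_party, outage]
```

Mapping the vendor to a named risk rather than listing it as a risk keeps the register finite, while the vulnerability ranking still surfaces it as the first weak spot to address.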
The RiskOptics ROAR Platform gives you the ability to see, understand and take action on your IT and cyber risks. With a unified, real-time view of risk and compliance, framed around your business priorities, you’ll have the contextual insight needed to easily and clearly communicate with key stakeholders and make smart, strategic decisions that will protect your enterprise, systems and data, earning the trust of your customers, partners and employees.
Schedule a free demo today to see the RiskOptics ROAR Platform in action.